On November 14, 2014, the Indiana Court of Appeals upheld a $1.4 million jury verdict holding Walgreen Co., the owner of Walgreens pharmacies (“Walgreens”), liable after one of the company’s pharmacists shared a customer’s confidential medical records in violation of the Health Insurance Portability and Accountability Act (HIPAA). According to court records, the pharmacist searched the customer’s confidential prescription history for any records indicating that the customer had been treated for a sexually transmitted disease. The pharmacist then printed out the prescription history and provided it to the customer’s ex-boyfriend.
Walgreen Co. v. Hinchy, No. 49A02-1311-CT-950 (Ind. Ct. App. 2014)
by Emily D. Armstrong
Are you or your providers sending patient information via text? Are you or your providers communicating about patients via text? If the answer to either of these questions is “yes,” beware: this could result in fines and legal violations.
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is a Federal law that addresses, in part, the security and privacy of health data. The law requires the Department of Health and Human Services (“HHS”) to establish rules for the handling of protected health information (“PHI”).
42 U.S.C. § 1320d et seq.
On August 14, 2013, the Office for Civil Rights (“OCR”) settled violations of HIPAA with Affinity Health Plan, Inc., for over $1.2 million. The settlement arose out of a breach report submitted by Affinity in which it acknowledged that information relating to possibly 344,579 individuals may have been improperly disclosed.
The improper disclosure was revealed as part of an investigative news report in which CBS Evening News purchased a photocopier previously leased by Affinity. CBS reported to Affinity that the hard drive of the copier contained protected health information (“PHI”). After investigating the breach, Affinity reported it to OCR. OCR’s investigation concluded that Affinity impermissibly disclosed the PHI by returning the leased copiers without erasing the data on their hard drives. In addition to the monetary settlement, Affinity was required to enter into a corrective action plan under which it must use its best efforts to retrieve all hard drives contained in copiers previously leased by Affinity and take measures to safeguard any electronic PHI.
The issue of mobile devices and electronic protected health information (“ePHI”) has become an area of primary concern as health care providers increasingly use mobile devices to communicate with patients or other providers. The Office of the National Coordinator for Health Information Technology, the agency that spearheads the promotion of health information technology, and the Office for Civil Rights, the agency that enforces HIPAA, have taken steps to address this concern.
As the result of a roundtable discussion and public demand, the agencies have developed an educational initiative in accordance with HIPAA’s Privacy and Security Rules. The initiative, “Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information,” offers health care providers and organizations tips on ways to protect their patients’ protected information on laptops, tablets, and smartphones.
The initiative seeks to educate providers on the risks associated with using mobile devices in the office setting, and offers tips to reduce the possibility of improper use or disclosure of the information on the devices, including using encryption software, firewalls, and password protection. The initiative was developed with HIPAA requirements in mind, but it does not guarantee compliance with HIPAA. HIPAA requires providers to assess their security and privacy risks and to develop and implement policies and procedures specific to the use of mobile devices in the office setting.
For more information on this initiative, visit www.HealthIT.gov/mobiledevices.
The government has published regulations that make sweeping changes to HIPAA. The regulations implement requirements of the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act of 2008.
The final rule implements the following changes:
- Business associates are directly liable for certain aspects of compliance with HIPAA.
- Disclosures of protected health information (“PHI”) for marketing and fundraising purposes are limited.
- The authorization process for patients being enrolled in research studies is refined.
- Requirements for notifying patients and the government in the event of a breach of unsecured PHI are clarified.
- The penalty structure for violating HIPAA is revised.
- Genetic information may not be used or disclosed by health plans for underwriting purposes.
Further changes to the HIPAA Privacy and Security Rules enable patients to exercise greater control over their information and how it is used and disclosed. For example, individuals may instruct their providers not to disclose treatment information to health plans if the individual has paid cash for the treatment, and patients will now be able to request that their PHI be provided to them in electronic form.
The official version of “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Act; Other Modifications to the HIPAA Rules,” will be published in the Federal Register on January 25, 2013.